Black Hat Launches Control-Alt-Hack Security Card Game

Control-Alt-HAck is a tabletop card game about white hat hacking and was developed by Yoshi Kohno, an associate professor of computer science and engineering at the University of Washington Computer Security and Privacy Research Lab, and Tamara Denning, a doctoral student in the department. Players are professional hackers hired by "Hackers, Inc." to break into secure systems as part of a security audit.

LAS VEGAS—Imagine a game that is easy to play, fun, and teaches you about computer security. Attendees at the Black Hat security conference in Las Vegas got to watch a sample play session of one such game, dubbed Control-Alt-Hack.

A tabletop card game about white hat hacking, Control-Alt-Hack was developed by Yoshi Kohno, an associate professor of computer science and engineering at the University of Washington Computer Security and Privacy Research Lab, and Tamara Denning, a doctoral student in the department. Players are professional hackers hired by "Hackers, Inc." to break into supposedly secure systems as part of a security audit.

"We went out of our way to incorporate humor," Denning said, before adding, "We wanted it to be based in reality, but more importantly, we want it to be fun for the players."

Game MechanicsControl-Alt-Hack is based on Steve Jackson Games' Ninja Burger (now out-of-print but quite popular back in the day). There are 156 game cards in the deck, including 16 hacker characters cards, 56 "mission" cards, 72 "entropy" cards, and 12 attendance cards. The kit also includes 58 hacker cred tokens, to symbolize how cool the player is in the hacking world, and 42 money tokens.

The hacker cards display various personas and characters the player can adopt during the course of the game. The characters avoid the stereotype of the unkempt researcher glued to the computer all day. Instead, players play men and women with a wide-range of interests such as martial arts and rock climbing. The mission cards and entropy cards describe the goals of the player and the various situations they find themselves in.

"Gameifying" SecurityThe goal was to create an environment that would get people talking about security and ask questions as they learn while playing, Adam Shostack, an honary member of the Computer Security and Privacy Research Lab, said during the presentation at Black Hat.

Neil Rubenking recently wrote about how vendors are trying to make security fun through games. An example is Stronghold of Security from Jagex, a free-to-play dungeon with a quest that can't be completed unless the player performs various tasks to secure the user profile. The game also requires players to answer questions about ways to keep their accounts secure in order to pass from one room to another. Another example was the points and badge system built into password manager Dashlane. Users earn badges and other rewards as they select stronger passwords.

Control-Alt-Hack teaches that computer security is more than just running antivirus and goes to great lengths to portray attacker motivations and techniques.

"Go get the game, go play the game, and share the game with others," Shostack urged the attendees. People should also "go make your own games," Shostack said.

AvailabilityWhile it is not designed to be an educational game in the sense that it would teach specific concepts, people playing the game will be exposed to important computer security concepts, Kohno said. Control-Alt-Hack will be most useful in industry and educational settings, engaging students in a classroom or attendees at a conference.

The three-to-six-player-game is designed for a fairly broad—but young— audience, 15 to 30 years of age, with a basic working knowledge of computer science, according to Kohno and Denning. The game is expected to go on sale this fall for $30, but educators can sign up on the game website to receive a free copy while supplies last.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte... See Full Bio

Get Our Best Stories!

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.